CISSP Topic 2: Access Control - 1 of 2

The fundamentals of the access control within the CISSP exam
March 9, 2013
CISSP

Confidentiality: The assurance that information is not disclosed to unauthorized individuals, programs or processes.

Integrity: Information must be accurate, complete and protected from unauthorized modification.

Availability: Information, systems and resources need to be available to users in a timely manner so productivity will not be affected.

Identification: Describes a method of ensuring that a subject (user, program or process) is the entity it claims to be. Identification can be verified through the use of a credential.

Biometrics: Verifies an individual’s identity by a unique personal attribute; this is one of the most effective and accurate methods of verifying identification.


Biometric Measurements

FRR (False Rejection Rate) or Type I Error: The percentage of valid subjects that are falsely rejected.

FAR (False Acceptance Rate) or Type II Error: The percentage of invalid subjects that are falsely accepted.

CER (Crossover Error Rate): The point, expressed as a percentage, at which the False Rejection Rate equals the False Acceptance Rate.
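The three measurements above are easiest to see by sweeping a match-score threshold and watching the two error rates move in opposite directions. The following Python is an added example, not part of the original post; the genuine and impostor scores are constructed sample data, and the threshold grid is an assumption.

```python
"""Added example (not from the original post): sweep a decision threshold across
constructed genuine and impostor match scores, compute FRR (Type I) and FAR (Type II)
at each threshold, and locate the CER where the two error rates cross."""
from typing import List, Tuple

# Constructed sample scores: a higher score means a stronger match to the enrolled template.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.70, 0.66, 0.61]   # valid subjects
IMPOSTOR_SCORES = [0.71, 0.68, 0.64, 0.60, 0.57, 0.52, 0.48, 0.44, 0.39, 0.31]  # invalid subjects


def frr(genuine: List[float], threshold: float) -> float:
    """Type I error: fraction of valid subjects rejected because their score is below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: List[float], threshold: float) -> float:
    """Type II error: fraction of invalid subjects accepted because their score reaches the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[float], impostor: List[float],
                steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) for thresholds 0.00 .. 1.00.
    As the threshold rises, FRR rises (more valid subjects rejected) and FAR falls."""
    return [(i / steps, frr(genuine, i / steps), far(impostor, i / steps)) for i in range(steps + 1)]


def crossover_error_rate(genuine: List[float], impostor: List[float],
                         steps: int = 100) -> Tuple[float, float]:
    """Threshold and error rate where FRR and FAR are closest (equal at the CER).
    A lower CER means a more accurate system; the operating threshold is then tuned
    above the CER when false accepts matter most, or below it for user convenience."""
    threshold, f_rej, f_acc = min(error_curve(genuine, impostor, steps),
                                  key=lambda row: abs(row[1] - row[2]))
    return threshold, (f_rej + f_acc) / 2


if __name__ == "__main__":
    for t, rej, acc in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, steps=20):
        print(f"threshold={t:.2f}  FRR={rej:.2f}  FAR={acc:.2f}")
    print("CER at threshold %.2f = %.2f" % crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Running it prints the full curve; with the constructed scores the two rates meet at 20% around a threshold of 0.67, and any threshold above that trades a lower FAR for a higher FRR.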


Other factors that must be considered:

Enrollment time: The time it takes to initially "register" with a system by providing samples of the biometric characteristic to be evaluated.

Throughput rate: The rate at which individuals can be processed and identified or authenticated by a system.

Acceptability: Considerations of privacy, invasiveness and psychological and physical comfort when using the system.


Types of biometric systems

Fingerprints: Are made up of ridge endings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae.

Palm Scan: The palm has creases, ridges and grooves throughout it that are unique to a specific person.

Hand Geometry: Measures the shape of a person’s hand (the length and width of the hand and fingers).

Retina Scan: Scans the blood-vessel pattern of the retina on the backside of the eyeball.

Iris Scan: Scans the colored portion of the eye that surrounds the pupil.

Signature Dynamics: Electrical signals of speed and time that can be captured when a person writes a signature.

Keyboard Dynamics: Captures the electrical signals when a person types a certain phrase.

Voice Print: Distinguishing differences in people’s speech sounds and patterns.

Facial Scan: Takes attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account.

Hand Topology: Looks at the size and width of an individual’s hand and fingers.


Other authentication characteristics

Authentication: The subject is required to provide a second piece to the credential set.

Password: A protected string of characters that is used to authenticate an individual.

Clipping level: The number of failed logon attempts allowed before a user is locked out.

Password checkers: Tools that test the strength of user-chosen passwords.

Password Generators: Tools that produce users’ passwords for them.

Password Aging: Expiration dates for passwords.

Limit Login Attempts: Threshold set to allow only a certain number of unsuccessful login attempts.

Cognitive password: Fact- or opinion-based information used to verify an individual’s identity.

One-time passwords / dynamic password: After the password is used, it is no longer valid.
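The clipping level, login-attempt limit and password aging above are usually enforced together by the logon service. The following Python is an added example, not code from the original post; the defaults (five attempts, a 15-minute lockout, a 90-day maximum password age), the outcome strings and the account store are constructed.

```python
"""Added example (not from the original post): one logon guard that enforces a clipping
level with lockout and checks password age on every successful logon."""
from dataclasses import dataclass
from typing import Dict


@dataclass
class AccountState:
    failures: int = 0           # consecutive failed logons since the last success
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked
    password_set_at: float = 0.0


class LogonGuard:
    """Clipping level, lockout window and password aging (constructed defaults)."""

    def __init__(self, clipping_level: int = 5, lockout_seconds: float = 900,
                 max_age_seconds: float = 90 * 86400):
        self.clipping_level = clipping_level
        self.lockout_seconds = lockout_seconds
        self.max_age_seconds = max_age_seconds
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'failed', 'password_expired' or 'ok' for one logon attempt."""
        st = self.accounts.setdefault(user, AccountState(password_set_at=now))
        if now < st.locked_until:
            return "locked"          # a correct password is still refused inside the lockout window
        if not password_ok:
            st.failures += 1
            if st.failures >= self.clipping_level:
                st.locked_until = now + self.lockout_seconds   # clipping level reached
                st.failures = 0
                return "locked"
            return "failed"
        st.failures = 0              # a success resets the failure counter
        if now - st.password_set_at > self.max_age_seconds:
            return "password_expired"   # password aging: authenticated, but a change is required
        return "ok"


if __name__ == "__main__":
    guard = LogonGuard(clipping_level=3, lockout_seconds=60)
    for i, ok in enumerate([False, False, False, True, True]):
        print(i, guard.attempt("alice", ok, 1000.0 + i))
```

The lockout is checked before the password so that guessing cannot continue during the window, and the counter resets only on a successful logon, which is what makes the clipping level a limit on consecutive failures rather than on total failures.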


Token Device: A password generator that uses a challenge-response scheme.

Synchronous token device: Synchronizes with the authentication service by using time or an event as the core piece of the authentication process.

Time based synchronous token device: The device and the authentication service must hold the exact same time within their internal clocks.

Event-synchronization: The user may need to initiate the logon sequence on the computer and push a button on the token device.

Asynchronous token device: Uses a challenge-response scheme to authenticate with the authentication service.
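The three token types above can all be built from an HMAC over a shared seed; what differs is the value that keeps the device and the service in step (the clock, an event counter, or a fresh challenge). The following Python is an added example, not code from the original post or from any token vendor: HOTP and TOTP follow RFC 4226 and RFC 6238 with HMAC-SHA1, the challenge-response part is a generic HMAC construction, the seed is the RFC 4226 test-vector seed, and the drift and look-ahead windows are assumptions.

```python
"""Added example (not from the original post): time-synchronous, event-synchronous and
challenge-response (asynchronous) token devices using only the standard library."""
import hashlib
import hmac
import secrets
import struct
import time

SECRET = b"12345678901234567890"   # RFC 4226 test-vector seed; a real token holds a per-device random seed


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based code (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, drift: int = 1) -> bool:
    """Time-synchronous check. Device and service clocks are rarely identical, so the
    service accepts `drift` steps either side; a code outside that window is rejected."""
    return any(hmac.compare_digest(totp(secret, at_time + k * step, step), code)
               for k in range(-drift, drift + 1))


class EventTokenVerifier:
    """Event-synchronous check: a button press advances the device counter. The service keeps
    its own counter, accepts codes within a look-ahead window (presses that never reached the
    service), then moves past the used counter so the same code cannot be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # resynchronise and burn this and all earlier counters
                return True
        return False


def challenge() -> str:
    """Asynchronous (challenge-response) token: the service sends a fresh random nonce."""
    return secrets.token_hex(8)


def respond(secret: bytes, nonce: str) -> str:
    """The token computes a response bound to the nonce; no reusable password crosses the wire."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def verify_response(secret: bytes, nonce: str, response: str) -> bool:
    return hmac.compare_digest(respond(secret, nonce), response)


if __name__ == "__main__":
    print("current TOTP:", totp(SECRET, time.time()))
    nonce = challenge()
    print("challenge", nonce, "accepted:", verify_response(SECRET, nonce, respond(SECRET, nonce)))
```

The time-based verifier is where the "exact same time" requirement from the definition bites: a clock drift larger than the accepted window makes every code fail until the device is resynchronised, which is why the event-based variant tracks a counter instead.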

Cryptographic Keys: Presenting a private key or a digital signature.

Passphrase: A sequence of characters that is longer than a password. The user enters this phrase into an application and the application transforms the value into a virtual password.

Memory Card: A card that holds information, but does not process information.

Smart Card: A card that has the capability of processing information because it has a microprocessor and integrated circuits incorporated into the card itself. A smart card also provides a two-factor authentication method because the user has to enter a user ID and PIN to unlock the smart token.


Authorization

Granting a subject access to an object after the subject has been properly identified and authenticated.

Need-to-know: Users will only have the necessary rights and permissions they need to fulfil the obligations of their jobs within the company.


Single Sign-on

Capabilities that would allow a user to enter credentials one time and be able to access all resources in primary and secondary network domains.

Scripting: Batch files and scripts that contain each user’s ID, password and logon commands necessary for each platform.

Because scripts contain credentials, they must be stored in a protected area and the transmission of the scripts must be dealt with carefully.


Kerberos

Uses symmetric key cryptography and provides end-to-end security.

Main components

  • KDC (Key Distribution Center): Holds all users’ and services’ cryptographic keys and provides authentication services as well as key distribution. The KDC provides security services to entities referred to as principals, which can be users, applications or services. A ticket is generated by the KDC and given to a principal when that principal needs to authenticate to another principal. The set of components and principals that one KDC provides security services for is called a realm in Kerberos.

  • AS (Authentication Service): The part of the KDC that authenticates a principal.

  • TGS (Ticket Granting Service): The part of the KDC that makes the tickets and hands them out to the principals.

Weaknesses:
  • The KDC is a single point of failure

  • The AS must be able to handle a large number of requests

  • Secret keys are temporarily stored on users’ workstations

  • Session keys are decrypted and reside on the users’ workstations

  • It is vulnerable to password guessing

  • Network traffic is not protected

  • When a user changes his password, it changes the secret key and the KDC needs to be updated
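The components and weaknesses listed above are easier to follow in code than in prose. The following Python is an added example, not from the original post and not any real Kerberos implementation: it models the AS and TGS exchanges with symmetric keys, using a toy authenticated cipher (SHA-256 keystream plus HMAC tag) in place of a real Kerberos encryption type. The realm, principal names, passwords, ticket lifetime and clock-skew allowance are constructed. It shows several of the listed weaknesses directly: one KDC dictionary holds every key, the AS reply is protected only by the key derived from the user's password, the client keeps its secret key and session keys in memory, and the service's clock-skew check and replay cache are what stop a captured authenticator from being presented twice.

```python
"""Added example (not from the original post): a stdlib-only model of the Kerberos AS and
TGS exchanges. The cipher is a toy stand-in for a Kerberos enctype; all names are constructed."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def _enc(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def _dec(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(password: str, realm: str, principal: str) -> bytes:
    # The long-term key is derived from the password: changing the password changes the key
    # the KDC must hold, and the AS reply is only as strong as that password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000, 32)


LIFETIME, SKEW = 8 * 3600, 300   # ticket lifetime and allowed clock skew in seconds (constructed)


class KDC:
    """Holds every principal's key (a single point of failure) and runs both AS and TGS."""

    def __init__(self, realm: str):
        self.realm, self.keys = realm, {"krbtgt": os.urandom(32)}

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = password_key(password, self.realm, principal)

    def as_exchange(self, client: str, now: float) -> bytes:
        # AS: nothing is verified here; only the holder of the password-derived key can read the reply.
        session = os.urandom(32).hex()
        tgt = _enc(self.keys["krbtgt"], {"client": client, "key": session, "expires": now + LIFETIME})
        return _enc(self.keys[client], {"key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> bytes:
        t = _dec(self.keys["krbtgt"], tgt)                    # only the KDC can open a TGT
        a = _dec(bytes.fromhex(t["key"]), authenticator)      # proves the client knows the session key
        if now > t["expires"] or a["client"] != t["client"] or abs(now - a["time"]) > SKEW:
            raise ValueError("expired TGT or stale/mismatched authenticator")
        svc_key = os.urandom(32).hex()
        ticket = _enc(self.keys[service], {"client": t["client"], "key": svc_key, "expires": now + LIFETIME})
        return _enc(bytes.fromhex(t["key"]), {"key": svc_key, "ticket": ticket.hex()})


class Client:
    def __init__(self, name: str, password: str, kdc: KDC):
        self.name, self.kdc = name, kdc
        self.key = password_key(password, kdc.realm, name)    # secret key now sits on the workstation

    def login(self, now: float) -> None:
        reply = _dec(self.key, self.kdc.as_exchange(self.name, now))   # wrong password -> ValueError
        self.tgs_key, self.tgt = bytes.fromhex(reply["key"]), bytes.fromhex(reply["tgt"])

    def service_ticket(self, service: str, now: float):
        auth = _enc(self.tgs_key, {"client": self.name, "time": now})
        reply = _dec(self.tgs_key, self.kdc.tgs_exchange(self.tgt, auth, service, now))
        return bytes.fromhex(reply["ticket"]), bytes.fromhex(reply["key"])

    def authenticator(self, session_key: bytes, now: float) -> bytes:
        return _enc(session_key, {"client": self.name, "time": now})


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()    # replay cache of accepted authenticators

    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        t = _dec(self.key, ticket)
        a = _dec(bytes.fromhex(t["key"]), authenticator)
        if now > t["expires"] or a["client"] != t["client"] or abs(now - a["time"]) > SKEW:
            raise ValueError("expired ticket or stale/mismatched authenticator")
        if authenticator in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add(authenticator)
        return t["client"]


def demo(password: str = "correct horse", now: float = 1_700_000_000.0) -> str:
    """AS exchange, TGS exchange, then present the service ticket; returns the accepted principal."""
    kdc = KDC("EXAMPLE.COM")
    kdc.register("alice", "correct horse")
    kdc.register("host/fileserver", "fileserver-secret")
    svc = Service("host/fileserver", password_key("fileserver-secret", "EXAMPLE.COM", "host/fileserver"))
    alice = Client("alice", password, kdc)
    alice.login(now)
    ticket, key = alice.service_ticket("host/fileserver", now + 1)
    return svc.accept(ticket, alice.authenticator(key, now + 2), now + 2)


if __name__ == "__main__":
    print("service accepted:", demo())
```

A wrong password surfaces as a failed tag check on the AS reply, not as an error from the KDC, which is the mechanical reason the exchange is exposed to password guessing; the mitigations a deployment relies on are the strength of the password-derived key and the skew and replay checks on the service side.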

About the author

Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.
Daniel built this blog from scratch, as well as technicalconfessions.com.
Follow Daniel on Twitter @nervouswiggles
